Description
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering

The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).


This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2.

Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
Published: 2026-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel’s CXF and Knative header filters fail to block inbound Camel‑internal headers. The CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy only filter outbound Camel‑internal headers via setOutFilterStartsWith, but do not configure inbound filtering via setInFilterStartsWith. As a result, an attacker can craft HTTP requests containing Camel‑internal headers such as CamelExecCommandExecutable or CamelFileName to CXF‑RS or CXF‑SOAP endpoints. These injected headers are then forwarded to components that interpret them, such as camel‑exec or camel‑file, allowing the attacker to override configured values and perform remote code execution or arbitrary file writes.

Affected Systems

The vulnerability affects Apache Camel versions from 3.18.0 up to and including 4.14.5 and from 4.15.0 up to and including 4.18.1. The affected vendor is the Apache Software Foundation. Users running any of these releases are at risk until they apply a patch.

Risk and Exploitability

Exploitation requires only a crafted HTTP request to a CXF‑RS or CXF‑SOAP endpoint and no authentication. The CVSS score of 9.8 and EPSS score of < 1% indicate a high severity but low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the clear attack path and the potential for remote code execution warrant urgent remediation.

Generated by OpenCVE AI on June 4, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to 4.19.0; if using 4.18.x LTS upgrade to 4.18.2; if using 4.14.x LTS upgrade to 4.14.6.
  • If a patch cannot be applied immediately, enable inbound header filtering by calling setInFilterStartsWith on CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy to block Camel‑internal header names.
  • Remove or isolate camel‑exec and camel‑file components from routes exposed via CXF or Knative endpoints to eliminate the execution vector.
  • Monitor incoming requests for unexpected headers such as CamelExecCommandExecutable or CamelFileName and alert when they appear.

Generated by OpenCVE AI on June 4, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8364-hfqj-pwm6 Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering
History

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache camel
CPEs cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
Vendors & Products Apache camel

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-791
References
Metrics threat_severity

None

 threat_severity

Critical

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Camel
Vendors & Products Apache
Apache apache Camel

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453). This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
Title Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
Weaknesses CWE-178
References

Subscriptions

Apache Apache Camel Camel
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-21T03:55:16.379Z

Reserved: 2026-05-19T08:52:58.990Z

Link: CVE-2026-47323

cve-icon Vulnrichment

Updated: 2026-05-20T15:36:30.384Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:48.653

Modified: 2026-06-04T13:27:04.880

Link: CVE-2026-47323

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-19T12:25:49Z

Links: CVE-2026-47323 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T14:00:15Z

Weaknesses